Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac authentication & Profiling

  • 1.  Mac authentication & Profiling

    Posted Jul 19, 2021 02:34 PM
    Hello Experts,
    I was wondering what the difference could be. I came across an implementation on ClearPass where all printer MACs are added via static host entries and IAPs via profiling. What really makes the difference? Could the printers still have been added via profiling? I was told that to get an IAP to work, it needs to be connected to an untrusted (non-ClearPass-enabled) port for ClearPass to profile it, and later on ClearPass is enabled on the port before it will work. Can anyone please explain this to me? I am new to this product.

    Best regards

    ------------------------------
    Emmanuel Egbewatt
    ------------------------------


  • 2.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 02:31 AM
    Use of an SHL vs. profiling for the printers may be as simple as not wanting all printers to be allowed, but only certain printers. Profiling with an SHL can add a little extra, but the dhcp-client conf file can be easily edited to make the clients have the same DHCP fingerprint as a printer while you configure your hardware MAC address to spoof the printer.

    At the end of the day it is still MAC auth, so make sure you also use ACLs to tighten the access down.

    As for IAP and authenticated ports...
    It depends on the switch and firmware. If we're talking about Aruba switches, it will need to support device port-mode. 

    Something like:
    aaa authorization user-role name "IAP-ROLE-NAME"
    vlan-id 999
    vlan-id-tagged 123,124
    device
        poe-priority high
        port-mode
        exit
    exit





  • 3.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 05:02 AM
    The basic ClearPass profiling is based around profiling a device based on its DHCP packets (these packets are usually relayed to ClearPass as well as to the DHCP server). If the device has a static IP address then, clearly, ClearPass will not be able to profile this device.
    ClearPass also has proactive profiling: SNMP, SSH (really only useful for Linux-based devices), WMI and NMAP (can be very inaccurate; best used in conjunction with one of the other profiling techniques, but very useful to distinguish servers with a specific job role, e.g. print servers).
    SNMP is possibly the most useful and very accurate, but ClearPass does not have many SNMP fingerprints. This is OK as you can add your own fingerprints. Have a look at the attached document as it might give you some ideas...

    ------------------------------
    Derin Mellor
    ------------------------------

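The following is an added example, not code from the thread or from HPE, that makes two of the points above concrete: Derin's point that DHCP profiling keys on the relayed DHCP packets (so a static-IP device is never profiled), and the earlier warning that a client can edit its dhcp-client configuration and clone a printer's MAC to present the same fingerprint. It constructs DHCP Discover packets in Python, extracts the fields a profiler typically keys on (option 55 parameter request list, option 60 vendor class, option 12 hostname) and matches them against a fingerprint table. The packets and the fingerprint table are constructed for the demo; they are not ClearPass's real signature database.

```python
"""Added example (not from the thread): how DHCP-based device profiling
derives a fingerprint from a relayed DHCP Discover, and why a MAC-auth
policy that trusts only that fingerprint is spoofable.  Packets and the
fingerprint table are constructed for the demo."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(mac: bytes, param_list: bytes, vendor_class: bytes = b"",
                   hostname: bytes = b"") -> bytes:
    """Construct a minimal BOOTP/DHCP Discover (RFC 2131/2132) from a client."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags,
    # ciaddr/yiaddr/siaddr/giaddr all zero for a Discover.
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += mac + b"\0" * 10          # chaddr is 16 bytes, MAC left-aligned
    header += b"\0" * 64 + b"\0" * 128  # sname, file (unused)
    options = b"\x35\x01\x01"           # option 53: DHCPDISCOVER
    options += bytes([55, len(param_list)]) + param_list   # parameter request list
    if vendor_class:
        options += bytes([60, len(vendor_class)]) + vendor_class
    if hostname:
        options += bytes([12, len(hostname)]) + hostname
    return header + DHCP_MAGIC + options + b"\xff"


def parse_options(packet: bytes) -> dict:
    """Return {code: value} for the TLV options after the magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def fingerprint(packet: bytes) -> dict:
    """The fields a DHCP profiler keys on: option 55 order, option 60, option 12."""
    opts = parse_options(packet)
    return {
        "mac": packet[28:34].hex(":"),
        "param_list": tuple(opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }


# Constructed fingerprint table; these are NOT ClearPass's real signatures.
FINGERPRINTS = {
    (1, 3, 6, 15, 44, 46, 47): "Printer",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux workstation",
}


def classify(packet: bytes) -> str:
    """Match option 55 against the table; a static-IP device never sends one."""
    return FINGERPRINTS.get(fingerprint(packet)["param_list"], "Unknown")


PRINTER_MAC = bytes.fromhex("001122334455")
PRINTER_OPT55 = bytes([1, 3, 6, 15, 44, 46, 47])
# Genuine printer Discover (constructed).
PRINTER_DISCOVER = build_discover(PRINTER_MAC, PRINTER_OPT55, hostname=b"NPI334455")
# A Linux laptop with its own MAC and its default dhclient request list (constructed).
LAPTOP_DISCOVER = build_discover(bytes.fromhex("aabbccddeeff"),
                                 bytes([1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42]),
                                 hostname=b"laptop")
# The same laptop after cloning the printer's MAC and editing the "request" list
# in dhclient.conf to the printer's option 55: indistinguishable to a DHCP-only profiler.
SPOOFED_DISCOVER = build_discover(PRINTER_MAC, PRINTER_OPT55, hostname=b"NPI334455")


def spoof_demo() -> dict:
    """Map each constructed client to what a DHCP-only profiler would call it."""
    return {
        "printer": classify(PRINTER_DISCOVER),
        "laptop": classify(LAPTOP_DISCOVER),
        "laptop_spoofing_printer": classify(SPOOFED_DISCOVER),
    }


if __name__ == "__main__":
    for name, verdict in spoof_demo().items():
        print(f"{name:25s} -> {verdict}")
```

The spoofed Discover yields a fingerprint identical to the printer's, which is why the earlier reply insists that MAC auth plus profiling still needs ACLs on the printer role, and why Derin suggests corroborating the DHCP verdict with SNMP or NMAP rather than trusting it alone.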



  • 4.  RE: Mac authentication & Profiling

    Posted Jul 20, 2021 05:24 AM
    Thanks for the responses


  • 5.  RE: Mac authentication & Profiling

    MVP EXPERT
    Posted Jul 20, 2021 09:15 AM
    I don't like the use of Static Host Lists (SHL) and prefer to use an attribute in the endpoint repository. This way all endpoints are kept in one place. With SHLs, static MAC addresses can be configured in different SHLs at the same time, which can cause policy issues and management challenges.

    When using the endpoint repository there is always a single place of MAC address registration, and attributes can be used in the policy enforcement. Endpoint attributes can also be filled automatically post-authentication based on (DHCP) profiling.

    See also the ClearPass Wired Policy Solution Guides

    Also see the Aruba youtube channel "ABC networking" with a lot of examples.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
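An added example, not from the thread or from HPE, of the approach Marcel recommends: instead of adding printer MACs to a Static Host List, register them in the endpoint repository with attributes that the enforcement policy can match on. It uses the ClearPass REST API as I know it (OAuth2 client credentials at /api/oauth, PATCH /api/endpoint/mac-address/{mac}); verify the paths and field names against your own server's /api-docs. The host, credentials, attribute names ("Device Type", "Location", "Managed By") and the printer inventory are placeholders constructed for the demo, and the request builders are separated from the sending so they can be checked offline.

```python
"""Added example (not from the thread or from HPE): tag printers in the
ClearPass endpoint repository with attributes instead of a Static Host List.
API paths follow the ClearPass REST API as I know it (/api/oauth,
/api/endpoint/mac-address/{mac}); verify against your CPPM's /api-docs.
Host, credentials, attribute names and inventory are placeholders."""
import json
import os
import re
import urllib.request

CPPM_HOST = os.environ.get("CPPM_HOST", "clearpass.example.com")     # placeholder
CLIENT_ID = os.environ.get("CPPM_CLIENT_ID", "endpoint-tagger")       # placeholder
CLIENT_SECRET = os.environ.get("CPPM_CLIENT_SECRET", "change-me")     # placeholder


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex
    and return 12 lowercase hex digits, the form the repository stores (assumed)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def token_request(host: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """OAuth2 client-credentials grant against /api/oauth."""
    body = json.dumps({"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"https://{host}/api/oauth", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})


def endpoint_patch_request(host: str, token: str, mac: str,
                           attributes: dict, status: str = "Known") -> urllib.request.Request:
    """PATCH only status and attributes; other endpoint fields stay untouched."""
    body = json.dumps({"status": status, "attributes": attributes}).encode()
    return urllib.request.Request(
        f"https://{host}/api/endpoint/mac-address/{normalize_mac(mac)}",
        data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json", "Accept": "application/json"})


def printer_requests(host: str, token: str, inventory) -> list:
    """One PATCH per printer from an inventory of (mac, location) pairs.
    The attribute names are placeholders; custom Endpoint attributes must
    already exist in the ClearPass Endpoint attribute dictionary (assumed)."""
    return [
        endpoint_patch_request(host, token, mac, {"Device Type": "Printer",
                                                  "Location": location,
                                                  "Managed By": "print-team"})
        for mac, location in inventory
    ]


def send(req: urllib.request.Request) -> dict:
    """Send one request and decode the JSON reply (network access required)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed inventory, in the mixed MAC formats an asset list usually contains.
PRINTER_INVENTORY = [("00:11:22:33:44:55", "Floor 1"),
                     ("0011.2233.4466", "Floor 2"),
                     ("00-11-22-33-44-77", "Floor 3")]

if __name__ == "__main__":
    token = send(token_request(CPPM_HOST, CLIENT_ID, CLIENT_SECRET))["access_token"]
    for req in printer_requests(CPPM_HOST, token, PRINTER_INVENTORY):
        print(req.full_url, send(req)["status"])
```

With the attributes in place, the enforcement policy condition becomes something like Endpoint:Device Type EQUALS Printer rather than a membership test against an SHL, and the same record later receives the DHCP-derived profiling attributes, so there is one place to look when a printer is denied.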



  • 6.  RE: Mac authentication & Profiling

    MVP GURU
    Posted Jul 22, 2021 04:20 AM
    Thanks Derin for the doc!

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 7.  RE: Mac authentication & Profiling

    Posted Feb 27, 2023 01:52 PM

    The basic ClearPass profiling is based around profiling a device based on its DHCP packets (these packets are usually relayed to ClearPass as well as to the DHCP server).

    How does profiling work when, for example, the Mobility Controller acts as the DHCP server? I think that a local DHCP scope on the Mobility Controller and DHCP relay/IP helper are mutually exclusive?! So how can DHCP fingerprinting be done on ClearPass in that case?




  • 8.  RE: Mac authentication & Profiling

    EMPLOYEE
    Posted Mar 01, 2023 05:36 AM

    On many types of equipment, DHCP server and relay are mutually exclusive. If you have a central DHCP server you could point ip helpers to both ClearPass and the real DHCP server, if you don't you can see if there is another device in the subnet that can do the ip helper/dhcp relay to ClearPass.

    It's not really recommended to use the controller's DHCP server unless you really can't otherwise. The features are limited and it's more used for those situations where you really can't do anything else. Same situation may apply on some switch scenarios, but in networks that are a bit larger than lab networks, I see in general the use of an external DHCP server to provide proper central control/logging/monitoring.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
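An added example, not from Herman's post, of the arrangement he describes for a central DHCP server: the VLAN interface on the switch (or whichever device routes the subnet) relays each client's DHCP broadcast to the real DHCP server and to ClearPass, so ClearPass sees the same Discover/Request the server sees. The syntax is ArubaOS-Switch; the VLAN number and both addresses are placeholders.

```text
vlan 100
   name "PRINTERS"
   ip address 10.1.100.1 255.255.255.0
   ip helper-address 10.1.1.10
   ip helper-address 10.1.1.20
   exit
```

Here 10.1.1.10 stands for the real DHCP server and 10.1.1.20 for the ClearPass node running the DHCP collector; the relay sends a copy of each broadcast to every helper address, and only the real server answers. To check it is working, have a client renew its lease and confirm that its endpoint in Endpoint Repository gains DHCP-derived attributes; if it stays unprofiled, a firewall between the VLAN and ClearPass is usually blocking UDP 67 towards the collector.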



  • 9.  RE: Mac authentication & Profiling

    Posted Mar 04, 2023 05:21 AM

    @Herman Robers I have to say that I currently use the Controller's integrated DHCP server function only in my lab. On the production network I have a dedicated Windows Server acting as DHCP server, so I'm not able to try it in my lab first, but I'll check it in the live system :)

    For device profiling will I have to use the CPPM, or does the Controller offer that option as well?




  • 10.  RE: Mac authentication & Profiling

    EMPLOYEE
    Posted Mar 08, 2023 07:02 AM

    The controller will do fingerprinting as well (different name), but it's just less advanced. You can use IF-MAP to share those fingerprints with ClearPass, but I have not used that for years as the profiling from ClearPass gives me better results.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: Mac authentication & Profiling

    EMPLOYEE
    Posted Jul 21, 2021 05:19 AM
    You can for IAP do the same profiling as you do for your other devices, like place unknown devices in a role/VLAN that can be used to profile the device, and trigger a re-authentication after profiling.

    For Instant AP, if you don't want to authenticate your clients on the switch port (as they are supposed to be authenticated on the AP, or Access Control is done on the AP), you will need to return a RADIUS attribute to switch the port to 'port mode' which just authenticates the AP, and leaves all other clients through transparently. The attribute needed is:
    Radius:Hewlett-Packard-Enterprise HPE-Port-MA-Port-Mode = Port-Based (1)

    The Wired Enforcement Solution Guide would be your first starting point to get profiling working. I agree that the use of Static Host Lists is deprecated as they are not so flexible and hard to troubleshoot. Putting attributes in the Endpoint Repository works as well, or better.


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------